06-06-2018 11:58 AM
Curious if anyone has come across this scenario yet. We have a project to replace some legacy ASAs with some new 2110 FTD appliances, and one of the roadblocks we are running into is duplicating the functionality on FTD that allows for automated VPN failover to a secondary ISP circuit or backup circuit. The internet traffic failover is not a problem; however, the way that FTD VPNs are configured is that they are bound to a specific interface upon creation. This inherently prevents the tunnel from being established on the backup circuit should the primary go down, and requires manual intervention to change the tunnel configuration to use the backup interface and re-deploy the policy.
Legacy ASA code made this very easy by simply binding the crypto map to both the primary and backup interfaces, and on the remote side including the primary and secondary IPs in the crypto map "set peer" statement. I'm not seeing where this can be duplicated on FTD at this time, and FlexConfig profiles do not look promising either, as VPN statements are said to be excluded since VPNs are configurable through the FMC.
Hoping I'm not the first to have this need, and I am interested in what others may have done to get around this limitation.
Regards,
Jason
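For readers who have not seen the legacy ASA arrangement the post refers to, here is what it looks like on both ends. This is an added illustration and is not configuration from the post or from Cisco. It uses IKEv1 crypto maps, where the multi-peer "set peer" form has long been supported; the interface names (outside, outside2), ACL and crypto map names, object names, the pre-shared key placeholder, the tracked gateway addresses and all RFC 5737 documentation addresses are assumed for the example.

```cisco
! ===== Hub ASA: two ISP circuits, primary = outside, backup = outside2 =====
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
interface GigabitEthernet1/2
 nameif outside2
 security-level 0
 ip address 198.51.100.10 255.255.255.248
!
! Internet failover: the primary default route is withdrawn when the tracked
! ISP gateway (assumed 203.0.113.9) stops answering ICMP, and the floating
! route on outside2 takes over.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.9 interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.9 254
!
! Interesting traffic and NAT exemption (assumed subnets)
object network HUB_LAN
 subnet 10.1.0.0 255.255.0.0
object network BRANCH_LAN
 subnet 10.2.0.0 255.255.0.0
access-list VPN_TO_BRANCH extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside,outside) source static HUB_LAN HUB_LAN destination static BRANCH_LAN BRANCH_LAN no-proxy-arp route-lookup
nat (inside,outside2) source static HUB_LAN HUB_LAN destination static BRANCH_LAN BRANCH_LAN no-proxy-arp route-lookup
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! A single crypto map entry; the branch has one public address (assumed 192.0.2.10)
crypto map VPN_MAP 10 match address VPN_TO_BRANCH
crypto map VPN_MAP 10 set peer 192.0.2.10
crypto map VPN_MAP 10 set ikev1 transform-set ESP-AES256-SHA
!
! This is the part FTD does not let you express: the SAME map is bound to both
! egress interfaces and IKEv1 is enabled on both, so whichever interface the
! default route currently points out of can terminate the tunnel.
crypto map VPN_MAP interface outside
crypto map VPN_MAP interface outside2
crypto ikev1 enable outside
crypto ikev1 enable outside2
!
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev1 pre-shared-key <assumed-psk>

! ===== Branch ASA: single circuit, lists both hub addresses as peers =====
access-list VPN_TO_HUB extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map VPN_MAP 10 match address VPN_TO_HUB
! Peers are tried in the order listed: primary circuit first, then backup
crypto map VPN_MAP 10 set peer 203.0.113.10 198.51.100.10
crypto map VPN_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map VPN_MAP interface outside
crypto ikev1 enable outside
!
! One tunnel-group per hub address, since the IKE identity changes with the circuit
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <assumed-psk>
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key <assumed-psk>
```

Two things worth checking when testing this. First, `show crypto ikev1 sa` and `show crypto ipsec sa` on the branch tell you which hub address the tunnel actually landed on after you pull the primary circuit. Second, the branch works through the "set peer" list in order and, once it has built the tunnel to the second address, stays there until that SA is torn down; there is no automatic preemption back to the primary address when the primary circuit returns, so plan for that in your runbook.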